GeoNode / geonode

GeoNode is an open source platform that facilitates the creation, sharing, and collaborative use of geospatial data.
https://geonode.org/

Unable to Add WFS Layer for Users with `View` Permission #11311

Open lperozzi opened 11 months ago

lperozzi commented 11 months ago

Description: I have successfully set up the OAuth2 authentication in geonode/QGIS. Following the instructions provided in this documentation, I have made progress, but I encountered an issue. Users with only the "view" permission are unable to add a WFS layer in QGIS. It seems that the user must have either the edit, download, or manage permission to access the layer through WFS services in QGIS. Any hints?

Steps to Reproduce:

  1. Set up OAuth2 authentication as per the provided documentation.
  2. Assign a user/group with only "view" permission to a specific layer in geonode.
  3. Attempt to add the WFS layer in QGIS for the user/group with "view" permission.

Expected Behaviour: Users with "view" permission should be able to add WFS layers in QGIS and access the relevant data.

Actual Behaviour: Users with only "view" permission are unable to add the WFS layer in QGIS.

Additional Information:

  1. Geonode version: 4.1.0
  2. GeoServer version: 2.23.0
  3. QGIS version: 3.16 and 3.22

giohappy commented 11 months ago

This is expected, although a bit counterintuitive for the case of WFS: view means only visualize the data without access to the underlying data (which requires the download permission). WFS gives access to the underlying data (not a rendered view as with WMS), that's why `download` is required.

lperozzi commented 11 months ago

Thank you for the clarification. However, some aspects are still unclear to me. When I grant a user download permissions for a dataset, the Geofence Data rules are set to deny WFS transactions for that user. Despite this, when I add this dataset through a QGIS WFS private connection using the user's credentials, I find that I still have editing privileges. Is this behaviour expected? If so, what is the difference between download and edit permissions? Additionally, is there a way to limit access to only view a dataset through WFS? Many thanks for your help.

gannebamm commented 11 months ago

Hi @lperozzi

> When I grant a user download permissions for a dataset, the Geofence Data rules are set to deny WFS transactions for that user.

This is how it should work. If you can 'see' the vector data from a WFS, you can always download that data. Hence to enable WFS connections, a download perm needs to be given.

> Despite this, when I add this dataset through a QGIS WFS private connection using the user's credentials, I find that I still have editing privileges. Is this behaviour expected?

This behaviour is not expected. By default, only the owner of the dataset shall be given edit permissions (meaning WFS-transactional).

Could you please try to use https://github.com/GeoNode/QGISGeoNodePlugin as a separate test to enable private layer access? With that plugin you will use basic auth instead of OAuth (https://geonode.org/QGISGeoNodePlugin/user-guide/#configure-authentication).

lperozzi commented 11 months ago

Hi @gannebamm,

I tried using the QGIS geonode plugin with QGIS 3.22 (it appears that this plugin is not available for 3.16). However, after setting up the basic authentication, I encountered the following error:

image

Here is my GeoNode Connection Configuration, and the test connection was successful:

image

giohappy commented 11 months ago

@lperozzi I was troubleshooting that issue right now and it happened that after closing and reopening QGIS it went away. Unfortunately, it seems to be related to some nasty issue within the asynchronous engine behind the discovery functionality. Please try reopening QGIS and see how it goes meanwhile.

I confirm that the plugin behaves as expected. You can save edits only if the edit permissions are granted. Apparently, QGIS shows the editing tools in any case. We will investigate if it's something in QGIS or the returned capabilities (which by the way look good)

lperozzi commented 11 months ago

@giohappy, I can confirm that after reopening QGIS, the problem disappeared. Additionally, with the plugin, it is indeed not possible to commit edits for a layer with download permissions.

To clarify, for QGIS version 3.16, since the plugin is unavailable, I should utilize the WFS/OGC API - Features source connection. Instead of setting up OAuth2, I should use Basic authentication, correct?

giohappy commented 11 months ago

> To clarify, for QGIS version 3.16, since the plugin is unavailable, I should utilize the WFS/OGC API - Features source connection. Instead of setting up OAuth2, I should use Basic authentication, correct?

@lperozzi if you use direct calls to Geoserver you can either use the Bearer Authorization header or the access_token GET parameter. Example: https://development.demo.geonode.org/geoserver/ows or https://development.demo.geonode.org/geoserver/geonode/<yourlayername>/ows

At the moment Basic Auth is only available if you proxy through GeoNode (/gs endpoint). Example: https://development.demo.geonode.org/gs/ows
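
Added example (not part of the thread, and not GeoNode or QGIS code): a Python sketch of the three authentication options described in the last comment, building an unsent WFS `GetFeature` request for each and refusing Basic Auth on anything but the `/gs` proxy path. The layer name, token and credentials are placeholders; the helper name `build_wfs_request` is hypothetical.

```python
import base64
from urllib.parse import urlencode, urlsplit
from urllib.request import Request

# Endpoints quoted in the thread.
DIRECT = "https://development.demo.geonode.org/geoserver/ows"
PROXY = "https://development.demo.geonode.org/gs/ows"


def build_wfs_request(endpoint, type_name, mode, token=None, user=None, password=None):
    """Return an unsent WFS GetFeature request using one of the auth modes.

    mode: "bearer"       -> Authorization: Bearer <token> header
          "access_token" -> access_token GET parameter
          "basic"        -> HTTP Basic, accepted only on the GeoNode /gs proxy
    """
    params = {
        "service": "WFS",
        "version": "2.0.0",
        "request": "GetFeature",
        "typeNames": type_name,
        "count": "1",  # one feature is enough to confirm read access
    }
    headers = {}
    if mode in ("bearer", "access_token"):
        if not token:
            raise ValueError("an OAuth2 access token is required")
        if mode == "bearer":
            headers["Authorization"] = f"Bearer {token}"
        else:
            # Query-string tokens tend to land in access logs and browser
            # history; use the header form where the client allows it.
            params["access_token"] = token
    elif mode == "basic":
        if not urlsplit(endpoint).path.startswith("/gs/"):
            raise ValueError("Basic Auth is only available through the /gs proxy")
        if not (user and password):
            raise ValueError("user and password are required")
        cred = base64.b64encode(f"{user}:{password}".encode()).decode()
        headers["Authorization"] = f"Basic {cred}"
    else:
        raise ValueError(f"unknown auth mode: {mode}")
    return Request(f"{endpoint}?{urlencode(params)}", headers=headers)


if __name__ == "__main__":
    req = build_wfs_request(PROXY, "geonode:example_layer", "basic",
                            user="alice", password="placeholder")
    print(req.full_url)
```

Passing the returned object to `urllib.request.urlopen` sends it; per the thread, a user with only `view` permission should be refused at this point, while `download` permission allows the read.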